gofiber/fiber

๐Ÿ› [Bug]: CORS Middleware, URL-protocol check too strict

aaronz-vipaso opened this issue · 3 comments

Bug Description

When I try to start my fiber application, which has a CORS origin configured with a protocol other than http or https, the application panics.

Specifically, KaiOS devices need to have a CORS origin configured with the protocol: app://


isValid, normalizedOrigin := normalizeOrigin(trimmedOrigin)
if !isValid {
	panic("[CORS] Invalid origin format in configuration: " + trimmedOrigin)
}

func normalizeOrigin(origin string) (bool, string) {
	parsedOrigin, err := url.Parse(origin)
	if err != nil {
		return false, ""
	}
	// Validate the scheme is either http or https
	if parsedOrigin.Scheme != "http" && parsedOrigin.Scheme != "https" {
		return false, ""
	}

How to Reproduce

Steps to reproduce the behavior:

  1. Configure the origin app://example.com in the CORS middleware
  2. Start fiber
  3. -> App panics

Expected Behavior

Do not panic, but allow origins with any protocol.

Fiber Version

v2.52.5

Code Snippet (optional)

package main

import (
	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
)

func main() {
	app := fiber.New()

	app.Use(cors.New(cors.Config{
		AllowOrigins: "https://example.com, app://example.com",
	}))

	app.Get("/", func(c *fiber.Ctx) error {
		return c.SendString("Hello, World!")
	})

	app.Listen(":3000")
}

Checklist:

  • I agree to follow Fiber's Code of Conduct.
  • I have checked for existing issues that describe my problem prior to opening this one.
  • I understand that improperly formatted bug reports may be closed without explanation.

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

gaby commented

I have to check the RFC to see which protocol schemes are allowed

@gaby
The RFC of the Origin header (RFC 6454: The Web Origin Concept) does not restrict the protocol (scheme).

The CORS protocol, in general, is not defined in an RFC but in the W3C recommendation titled "Fetch standard" under 3.2. This one also doesn't restrict the protocol.
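As an added illustration, not code from the Fiber project or from anyone in this thread, the two functions below contrast the scheme-restricted check quoted in the bug report with a hypothetical relaxed variant that accepts any scheme, as the RFC 6454 discussion above suggests, while still insisting that a configured origin be exactly scheme://host[:port] (no userinfo, path, query or fragment) and normalizing it to lowercase. The function names, the sample origins and the main function are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// originTuple rejects anything that is not a bare origin: a parsed URL that
// carries userinfo, a path, a query or a fragment is not an origin in the
// RFC 6454 sense, and an opaque URL (no "//" authority) has no Host at all.
// Constructed helper shared by both variants below.
func originTuple(u *url.URL) (bool, string) {
	if u.Scheme == "" || u.Host == "" {
		return false, ""
	}
	if u.User != nil || u.Path != "" || u.RawQuery != "" || u.ForceQuery || u.Fragment != "" {
		return false, ""
	}
	// Scheme and host are case-insensitive, so store them lowercased.
	return true, strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
}

// normalizeOriginStrict mirrors the behaviour quoted in the report: only
// http and https pass, so "app://example.com" is rejected. Hypothetical name.
func normalizeOriginStrict(origin string) (bool, string) {
	u, err := url.Parse(origin)
	if err != nil {
		return false, ""
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false, ""
	}
	return originTuple(u)
}

// normalizeOriginAnyScheme is the hypothetical relaxed variant: any scheme
// that url.Parse accepts (RFC 3986 syntax) is allowed, but the rest of the
// origin must still be a plain host[:port]. Hypothetical name.
func normalizeOriginAnyScheme(origin string) (bool, string) {
	u, err := url.Parse(origin)
	if err != nil {
		return false, ""
	}
	return originTuple(u)
}

func main() {
	// Constructed sample origins, including the two from the issue's snippet.
	samples := []string{
		"https://example.com",
		"app://example.com",
		"HTTPS://Example.COM:8443",
		"example.com",
		"https://example.com/path",
		"https://user@example.com",
		"mailto:someone@example.com",
	}
	for _, s := range samples {
		okStrict, _ := normalizeOriginStrict(s)
		okAny, norm := normalizeOriginAnyScheme(s)
		fmt.Printf("%-30s strict=%-5v any-scheme=%-5v normalized=%q\n", s, okStrict, okAny, norm)
	}
}
```

The point of keeping originTuple in both variants is that dropping the http/https restriction does not mean accepting arbitrary strings: an entry such as a bare hostname or an origin with a path is still refused at startup, which is where a misconfigured allow-list is cheapest to catch.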